@ukd1
Created April 28, 2011 16:33
Generate a simple report of attacks on your servers from Graylog2 data using MapReduce (now requires MongoDB driver >= 1.2)
<?php
/**
 * A quick & dirty script that outputs a list of possible attacking IP addresses,
 * per host, with a total count.
 *
 * Tweak the "THE_QUERY" constant to suit your environment - we use Debian & Ubuntu.
 *
 * @author Russell Smith <russell.smith@ukd1.co.uk>
 * @copyright UKD1 Limited, 2011
 * @license ISC license
 */

/**
 * The name of your graylog2 database
 */
define('GRAYLOG2_DB', 'graylog2');

/**
 * The query to match against (sshd failed logins, PAM auth failures,
 * reverse-DNS "break-in attempt" warnings and invalid-user attempts)
 */
define('THE_QUERY', '/.+ssh.+(failed\ password|authentication\ failure|possible\ break\-in\ attempt|invalid\ user).+/i');

// Connect to MongoDB (default host - i.e. localhost)
$mongo = new Mongo();

// Select the configured database
$db = $mongo->selectDB(GRAYLOG2_DB);

// Map function - run a regex on the message and emit the first IP we come across,
// keyed as "<ip>,<host>" so each attacker is counted per target host
$map = new MongoCode('function () {
    var re = /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;
    var rs = re.exec(this.message);
    if (rs == null) {
        emit("Oddly no ip found", 1);
    } else {
        emit(rs[0] + "," + this.host, 1);
    }
}');

// Reduce function - sum the values for this key (we emit 1 per matching message).
// MongoDB may call reduce more than once for the same key, passing previously
// reduced partial totals back in, so returning v_arr.length would under-count;
// summing the values gives the right total regardless of how the work is split.
$reduce = new MongoCode("function (k, v_arr) {
    return Array.sum(v_arr);
}");

// Execute the MapReduce over the messages collection, restricted to messages
// matching THE_QUERY, writing results to the failed_logins collection
$failed_logins = $db->command(array(
    "mapreduce" => "messages",
    "map"       => $map,
    "reduce"    => $reduce,
    "out"       => "failed_logins",
    "query"     => array("message" => new MongoRegex(THE_QUERY))
), array('timeout' => 0));

// Get the results, sorted by the most attempts first
$fails = $db->selectCollection($failed_logins['result'])->find()->sort(array('value' => -1));

// Output in a CSV style: "<ip>,<host>,<count>"
foreach ($fails as $fail)
{
    print "\n" . $fail['_id'] . ',' . $fail['value'];
}
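The map and reduce bodies above run as JavaScript inside MongoDB, so their counting logic can be checked offline in plain JavaScript. The following is an added example, not code from the gist or from Graylog2: it re-implements the gist's query filter and map step, models how MongoDB reduces a key's values in chunks and then re-reduces the partial results, and runs both a length-based reducer (which under-counts once re-reduction happens) and a summing reducer against constructed sshd log lines. The host names, PIDs, timestamps and IP addresses in `SAMPLE_DOCS` are constructed for the demo; the `chunkSize` parameter is an assumption standing in for however the server happens to batch the values.

```javascript
// Added example (not from the gist): the gist's MapReduce logic re-implemented
// locally so the counting can be verified without a MongoDB instance.
// Key point: MongoDB may call reduce() again on already-reduced partial values,
// so the reducer must SUM what it is handed, not count the array length.

// The gist's query constant as a JavaScript RegExp (escaped spaces unescaped).
const THE_QUERY = /.+ssh.+(failed password|authentication failure|possible break-in attempt|invalid user).+/i;
// Same IPv4 pattern the gist's map function uses.
const IPV4 = /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;

// Constructed Graylog2-style documents {host, message}. Values are invented
// for this example; the message bodies mimic auth.log lines as rsyslog forwards them.
const SAMPLE_DOCS = [
  { host: 'web1', message: 'Apr 28 16:33:01 web1 sshd[2134]: Failed password for invalid user admin from 203.0.113.7 port 52311 ssh2' },
  { host: 'web1', message: 'Apr 28 16:33:03 web1 sshd[2134]: Failed password for root from 203.0.113.7 port 52312 ssh2' },
  { host: 'web1', message: 'Apr 28 16:33:05 web1 sshd[2136]: Failed password for root from 203.0.113.7 port 52313 ssh2' },
  { host: 'web1', message: 'Apr 28 16:34:10 web1 sshd[2201]: Invalid user oracle from 198.51.100.23' },
  { host: 'db1',  message: 'Apr 28 16:35:00 db1 sshd[911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7' },
  { host: 'db1',  message: 'Apr 28 16:35:30 db1 sshd[914]: reverse mapping checking getaddrinfo for scanner.example [198.51.100.23] failed - POSSIBLE BREAK-IN ATTEMPT!' },
  { host: 'db1',  message: 'Apr 28 16:36:00 db1 sshd[920]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2' },
  { host: 'web1', message: 'Apr 28 17:00:01 web1 CRON[500]: (root) CMD (run-parts /etc/cron.hourly)' },
];

// Map: same logic as the gist, emitting "<ip>,<host>" -> 1 (or a marker key if no IP).
function mapDoc(doc, emit) {
  const rs = IPV4.exec(doc.message);
  if (rs === null) {
    emit('Oddly no ip found', 1);
  } else {
    emit(rs[0] + ',' + doc.host, 1);
  }
}

// The gist's original reducer: reports how many values it was handed.
function reduceByLength(key, values) {
  return values.length;
}

// Corrected reducer: adds the values, so partial totals combine correctly.
function reduceBySum(key, values) {
  return values.reduce((acc, v) => acc + v, 0);
}

// Minimal model of MongoDB MapReduce: filter by query, map, then reduce each
// key's values in chunks and re-reduce the partials, as the server does for
// large inputs. A key with a single value never has reduce called on it.
function mapReduce(docs, reduceFn, chunkSize = 2) {
  const emitted = new Map();
  const emit = (key, value) => {
    if (!emitted.has(key)) emitted.set(key, []);
    emitted.get(key).push(value);
  };
  docs.filter(d => THE_QUERY.test(d.message)).forEach(d => mapDoc(d, emit));

  const out = {};
  for (const [key, values] of emitted) {
    const partials = [];
    for (let i = 0; i < values.length; i += chunkSize) {
      const chunk = values.slice(i, i + chunkSize);
      partials.push(chunk.length === 1 ? chunk[0] : reduceFn(key, chunk));
    }
    out[key] = partials.length === 1 ? partials[0] : reduceFn(key, partials);
  }
  return out;
}

// Sort by count, highest first, and render the gist's CSV-style "<ip>,<host>,<count>" lines.
function toCsv(result) {
  return Object.entries(result)
    .sort((a, b) => b[1] - a[1])
    .map(([k, v]) => k + ',' + v);
}

const buggy = mapReduce(SAMPLE_DOCS, reduceByLength);
const fixed = mapReduce(SAMPLE_DOCS, reduceBySum);
console.log('length-reducer: ' + toCsv(buggy).join(' | '));
console.log('sum-reducer:    ' + toCsv(fixed).join(' | '));
```

With the constructed input, 203.0.113.7 hits web1 three times; the length-based reducer reports 2 for that key once the three emits are reduced in two batches, while the summing reducer reports 3. The two lines that are not failed logins (the accepted publickey login and the cron entry) are dropped by the query filter before mapping, as they would be by the `query` clause of the MapReduce command.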